Cyber War: The Next Threat to National Security and What to Do About It


by Richard A. Clarke


  Thus, as part of the campaign’s effort to stake out some ground on national security issues, then-Senator Obama gave a speech and met with national experts on technology and emerging threats at Purdue University in the summer of 2008. In the speech, he took the bold step of declaring U.S. cyber infrastructure “a strategic asset,” an important phrase in government-speak that means it is something worth defending. He also pledged to appoint a senior White House advisor who would report directly to him and gave a general commitment to make cyber security “a top federal priority.” In the accompanying fact sheet, which my coauthor Rob Knake drafted along with two MIT computer scientists, John Mallery and Roger Hurwitz, he went a step further, criticizing the Bush Administration for moving too slowly in the face of the risks associated with cyberspace, and pledging to initiate a “Safe Computing R&D effort” to “develop next-generation secure computers and networking for national security applications,” to invest more in science and math education, and to create plans to address private-sector vulnerabilities, identity theft, and corporate espionage.

  A few weeks later, the cyber threat was hammered home to Obama in a very serious way. The FBI quietly informed the campaign that it had reason to believe Chinese hackers had infiltrated the campaign’s computer systems. I asked one of my business partners, Paul Kurtz (who had worked on cyber security on both the Clinton and Bush White House staffs), to take a team of cyber security experts out to the Chicago headquarters to assess the extent of the damage and see what could be done to secure the systems. The Chinese hackers had focused on draft policy documents. They had used some sophisticated techniques, hidden beneath more obvious activity.

  When the campaign quietly put together an unofficial transition team weeks before election day, I asked everyone working on national security planning to stop using their home computers for that purpose. Even though what they were writing was unclassified, it was of interest to China and others (including, presumably, John McCain, not that his campaign had shown much understanding of cyber technology). With the campaign’s blessing, we distributed “clean” Apple laptops and locked them down so they could only connect to one thing, a virtual private network we created using a server with a completely innocuous name. I knew we were going to be in trouble when I started getting calls complaining about the security features. “Dick, I’m at a Starbucks and this damn machine won’t let me connect to the wi-fi.” “Dick, I want to pull some files off of my Gmail account, but I can’t access the Internet.” I tried to point out that if you are a senior member of the informal national security transition team, you probably should not be planning the takeover of the White House from a Starbucks, but not everyone seemed to care.

  Shortly before the inauguration, Paul Kurtz and I provided the new White House team with a draft decision document to formalize the proposals Obama had advocated in the Purdue speech. We argued that if Obama waited, people would come out of the woodwork to try to stop it. Although the most senior White House staff understood that problem and wanted a quick decision, it was, understandably, not a high priority for them. Instead, the new Obama White House announced a Sixty Day Review and asked one of the drafters of Bush’s CNCI to run it. This was despite the fact that Jim Lewis and the Commission on Cyber Security for the forty-fourth Presidency had already spent over a year working to achieve a consensus view on what the next President needed to do, releasing their report on December 8, 2008. When, 110 days later, the President announced the results, guess what? It was CNCI redux. It also had a military Cyber Command, but not a cyber war strategy, not a major policy or program to defend the private sector, nothing to initiate international dialogue on cyber war. And, déjà vu all over again, the new Democratic President went out of his way to take regulation off the table: “So let me be very clear: my administration will not dictate security standards for private companies.”

  What Obama did not announce in his public remarks after the Sixty Day Review was who would be the new White House cyber security czar. Few qualified people wanted the job, largely because it had no apparent authority and had been altered to report directly to both the Economic Advisor and the National Security Advisor. The Economic Advisor was the ousted former Harvard president Larry Summers, who had made it clear that he thought the private sector and market forces would do enough to deal with the cyber war threat without any additional government regulation or role in their affairs. Months went by during which the best efforts of the White House personnel office failed to convince candidate after candidate that this was a job worth taking.

  Thus, for the first year of his administration, Obama had no one in the White House trying to orchestrate a government-wide, integrated cyber security or cyber war program. Departments and agencies did their own thing, or did nothing. The two lead agencies in defending America from cyber war were U.S. Cyber Command (to defend the military) and the Department of Homeland Security (to defend, well, something else). The head of U.S. Cyber Command kept a low profile for most of 2009 because the Senate had not yet agreed to give him his fourth star. To get the promotion from three stars, General Keith Alexander would have to answer questions before a Senate committee, and that committee wasn’t too sure it understood what U.S. Cyber Command was actually supposed to do. Senator Carl Levin of Michigan asked the Pentagon to send over an explanation of the command’s mission and strategy before he would agree to schedule a confirmation hearing.

  While Senator Levin was trying to figure out what Cyber Command was supposed to be protecting and General Alexander was “in the quiet period” before his hearing, I wasn’t too clear on what Homeland Security was supposed to protect. Therefore I went to the source and asked Secretary Janet Napolitano. She graciously agreed to meet with me at her department’s headquarters. Unlike other cabinet departments, which tend to be headquartered in monumental edifices or modern office blocks near the National Mall, the newest department is run from a barbed-wire-enclosed encampment in northwest Washington, D.C. Behind the wire are a series of low-rise redbrick buildings that, seen from the street, appear like a Nazi army kaserne. It is little wonder that when civil servants were forced to move in they gave the place the nickname Stalag 13, after the fictional German prison camp in the long-running television comedy show Hogan’s Heroes.

  In fact, the facility had been the headquarters of the U.S. Navy’s cryptologic service, the predecessor of the new 10th Fleet. Like U.S. Navy bases everywhere, this one came with a little white church and cute little street signs. One street is named “Intelligence Way.” To get to the Secretary’s office, we walked through a seemingly endless sea of gray Dilbert cubicles. Napolitano’s personal office was only slightly better. For the former Governor of Arizona, the dismal ten-by-twelve-foot office was a distinct comedown. Nonetheless, she had managed to cram a bronco-busting saddle into one corner. But the place had a temporary feel to it, six years after the department had been created. “We’re moving to a big new headquarters,” the Secretary explained, trying to emphasize the positive. The new headquarters, on the grounds of St. Elizabeth’s, Washington, D.C.’s shuttered insane asylum, would be ready in year ten of the department’s existence, maybe.

  “Even though the government was closed for a holiday yesterday, I spent it meeting with executives from the financial sector, talking to them about cyber security,” Napolitano began. It was Cyber Security Awareness Month at the department and she had scheduled a number of events. I asked her what the greatest cyber security threat was. “The highly skilled lone hacker, cyber criminal cartels…” she replied. Well, what if there were a cyber war, I asked. “The Pentagon would have the lead in a war, but we would do consequence management of any damage in the U.S.” What about preventing the damage so that there would be fewer consequences to manage? “We are growing the capability so that we might be able to protect the dot-gov domain.”

  Well, if U.S. Cyber Command is protecting dot-mil and you will one day protect dot-gov, who is protecting everything else, like the critical infrastructure, which is in the private sector? “We work with the private sector groups, the Information Sharing and Analysis Centers in the eighteen critical industries, to share information with them.” That is not the same thing as the U.S. government protecting the critical infrastructure from cyber war attacks, is it? No, the Secretary admitted, it wasn’t. Doing that, she suggested, was not Homeland Security’s job.

  Homeland Security is developing a system to scan cyber traffic going to and from federal departments, looking for malware (viruses, worms, etc.). The immodestly named “Einstein” system had grown from mere traffic flow monitoring (Einstein 1) to intrusion and malware detection (Einstein 2) and will soon attempt to block Internet packets that appear to be malware (Einstein 3). As part of the effort to defend the government sites, Homeland and the General Services Administration are attempting to reduce the number of portals from the Internet to the dot-gov domain. Then Homeland will place Einstein 3 on each of those portals into dot-gov to scan for malware. The Einstein network will be run by Homeland’s newly consolidated cyber security division, the National Cybersecurity and Communications Integration Center in Ballston, Virginia.

  If DHS can get this to work, I asked, why just limit it to protecting the federal government? “Well, we may want to look later on at taking it out more broadly.” Secretary Napolitano, who is a lawyer and a former federal prosecutor, added that there would be legal and privacy hurdles to having the government scanning the public Internet for cyber war attacks. Well, then, could she employ regulatory authority to make critical infrastructure improve their own ability to defend from cyber war attacks, and to regulate the ISPs or the electric power companies? To her credit, Secretary Napolitano did not rule those possibilities out either, even though President Obama himself had seemed to in his cyber security speech in May 2009. But regulation, she noted, would come only after information sharing and voluntary measures had been shown to fail, and in year one of the Obama Administration it was too early to make that judgment. Of course, the information-sharing and voluntary-measures approach had already been tried for over a decade.

  What was within her responsibilities was to secure the dot-gov domain, and Napolitano was pleased to report that DHS was looking for one thousand new employees with cyber security skills. Immediately critics wondered publicly why highly qualified cyber geeks would want to work for Homeland when everyone from Cyber Command to Lockheed and Bank of America was recruiting them. Napolitano said she was working to get the personnel rules changed so that she could pay salaries competitive with the private sector, and she was looking into creating satellite offices in California and other places away from Washington where geeks “might prefer to live.” I thought I heard in her voice the longing for back home that many in the Washington bureaucracy secretly harbor. As we left the Secretary’s office, the head of the U.S. Coast Guard, Admiral Thad Allen, was waiting outside. “Glad to see you survived the interview with Dick,” the Admiral joked. “I survived,” the Secretary replied, “but now I’m depressed about cyber war.”

  Why had Clinton, Bush, and then Obama failed to deal successfully with the problem posed by America’s private-sector vulnerability to cyber war? People who have worked on this issue for years all have slightly different answers, or differences in emphasis. Let’s explore six of the reasons they most often give.

  1. THE GREATEST TRICK

  The first reason you hear is that many cyber attacks that have happened have left behind no marks, no gaping crater like Manhattan’s Ground Zero. When private-sector firms have their core intellectual property stolen, they usually don’t even know it happened. To understand the problem that creates, imagine that you work in a museum with valuable objects, let’s say sculptures and paintings. When you leave the museum at the end of the day, you turn on an alarm system and make sure that the video recorder is running and is connected to the surveillance cameras. In the morning, you return. The alarm has not gone off overnight, but just to be sure, you scan through the video of the last twelve hours and satisfy yourself that no one was inside the museum while you were gone. Finally, you check all the sculptures and paintings to be sure that they are still there. All is well. Why ever would you then think you had a security problem?

  That is essentially the situation that the Pentagon was facing in the late 1990s and continues to face today. There may be some low-level activity of people trying to penetrate their networks, but doesn’t the security software (firewalls, intrusion-detection systems, intrusion-prevention systems) deal effectively with most of the threats? Why would the brass think that their intellectual property, their crown jewels, war plans, engineering drawings, or software was now residing on hard drives in China, Russia, or anywhere other than just on their systems?

  The difference between art thieves and world-class hackers is that with the best of the cyber thieves, you never know you were a victim. “Hell, the U.S. government does [number withheld] penetrations of foreign networks every month,” one intelligence official told me. “We never get caught. If we are not getting caught, what aren’t we catching when we’re guarding our own?” How do you convince someone that they have a problem when there is no evidence you can give them? The data isn’t missing like the Vermeer that was snatched from the Isabella Stewart Gardner Museum in Boston in 1990. This sounds like a new problem, unique to cyberspace. Historians of military intelligence, however, have heard this tale before.

  In the Cold War the United States Navy was confident that it could defeat the Soviet naval forces if it ever came to a shooting war, until they learned that a family of Americans had given the Soviets a unique advantage. The Walker spy ring, led by a Navy communications specialist and including his son, also in the U.S. Navy, had supplied the Soviets with the Navy’s top-secret cryptographic keys, the material that scrambled and unscrambled messages to and from our ships. The Red Navy knew where our ships were, where they were going, what they were ordered to do, and which major weapons and other systems onboard were not working. We were unaware that the Soviets knew these things because, although we assumed that they were intercepting our message traffic coming over radio frequencies, we were very confident that they could never unscramble our code. They probably never could have, until they bought the descrambling key from some trusted Americans.

  The U.S. Navy’s smug arrogance about the security of its Cold War codes was hardly unique in the history of code-breaking: the Japanese thought that no one could read their naval codes during World War II, but the United States and the United Kingdom were doing just that. Some historians believe that the U.S. Navy defeated the Imperial Japanese Navy precisely because of code-breaking skills. Certainly the decisive U.S. victory in the Battle of Midway was due to the advance knowledge of Japanese plans gained from code-breaking. It is a reasonable assumption that over several decades many nations’ codes, presumed to be unbreakable by their users, were (or are) actually being read by others.

  Even though historians and national security officials know that there are numerous precedents for institutions thinking their communications are secure when they are not, there is still resistance to believing that it may be happening now, and to us. American military leaders today cannot conceive of the possibility that their Secret (SIPRNET) or Top Secret intranet (JWICS) is compromised, but several experts I spoke to are convinced that it is. Many corporate leaders also believe that the millions of dollars they have spent on computer security systems means they have successfully protected their company’s secrets. After all, if anybody had gotten inside their secret files, the intrusion detection system software would have sounded an alarm. Right?

  No, not necessarily. And even if the alarm did go off, in many cases that would not have caused anyone to do anything very quickly in response. There are ways of penetrating networks and assuming the role of the network administrator or other authorized user without ever doing anything that would cause an alarm. Moreover, if an alarm does go off, it is often such a routine occurrence on a large network that nothing will happen in response. Perhaps the next day someone will check the logs and notice that a couple of terabytes of information were downloaded and transmitted outside of the network to some compromised server, the first stop on a multistage trip intended to obscure the final destination. Or, perhaps, no one will notice that anything ever happened. The priceless art is still on the museum walls. And if that is the case, why should the government or the bottom-line-conscious executive do anything?

  I mentioned in chapter 2 the 2003 phenomenon code-named Titan Rain. Alan Paller, a friend who runs the SANS Institute, a cyber security education and advocacy group, described what happened over the course of one night in that case, November 1, 2003.

  At 10:23 p.m. the Titan Rain hackers exploited vulnerabilities at the U.S. Army Information Systems Engineering Command at Fort Huachuca, Arizona.

  At 1:19 a.m. they exploited the same hole in computers at the Defense Information Systems Agency in Arlington, Virginia.

  At 3:25 a.m. they hit the Naval Ocean Systems Center, a Defense Department installation in San Diego, California.

  At 4:46 a.m. they struck the U.S. Army Space and Strategic Defense installation in Huntsville, Alabama.

  There were lots of days like that. Not only were Defense facilities hit, but terabytes of sensitive information left NASA labs, as well as the computers of corporations such as Lockheed Martin and Northrop Grumman, which have been given contracts worth billions of dollars to manage security for DoD networks. Cyber security staffs tried to figure out the techniques being used to penetrate the networks. And their blocking efforts seemed to work. One participant in these defensive efforts told us that “Everyone was all self-congratulatory.” He shook his head, pulled a grimace, and added softly, “…till they realized that the attacker had just gone all stealthy, but was probably still stealing us blind. We just couldn’t see it anymore.” The case names Moonlight Maze and Titan Rain are now best thought of as fleeting glimpses of a much broader campaign, most of which went unseen. It may seem somewhat incredible that terabytes of information can be removed from a company’s network without that company being able to stop it all from going out the door. In the major cases we know about, the companies or federal organizations usually did not even detect that an exfiltration of data had occurred until well after it had taken place. All of these victims had intrusion-detection systems that are supposed to alarm when an unauthorized intruder attempts to get on a network. Some sites even had the more advanced intrusion-prevention systems, which not only alarm but also automatically take steps to block an intruder. The alarms remained silent. If you have a mental image of every interesting lab, company, and research facility in the U.S. being systematically vacuum cleaned by some foreign entity, you’ve got it right. That is what has been going on. Much of our intellectual property as a nation has been copied and sent overseas. Our best hope is that whoever is doing this does not have enough analysts to go through it all and find the gems, but that is a faint hope, particularly if the country behind the hacks has, say, a billion people in it.
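  The after-the-fact log review this section keeps returning to (someone "checks the logs" the next day and sees terabytes gone; the Titan Rain defenders who stopped seeing the attacker once it "went stealthy") is a concrete check a practitioner can run. The following is an added illustration, not code from the book or from any of the agencies or companies it names. It assumes a simplified flow record of the form "date src dst bytes" (constructed sample data, not real logs), that the monitored enterprise owns 10.0.0.0/8, and arbitrary thresholds. It applies two baselines over a fortnight of flow records: a per-host spike check, which catches a noisy two-terabyte dump, and a fleet-wide total check, which also catches a host that leaks the same large amount every day and therefore never spikes against its own history.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumption: the monitored enterprise owns 10.0.0.0/8; anything else is "outside".
INTERNAL = ip_network("10.0.0.0/8")


def _sample_log():
    """Constructed flow records ('date src dst bytes'); not real data.

    Ten ordinary workstations push 400-490 MB/day to the outside.
    10.1.1.50 behaves normally until it dumps 2 TB on the last day (noisy).
    10.1.1.51 pushes 150 GB every single day (stealthy: no spike to notice).
    """
    lines = []
    for day in range(1, 15):
        d = f"2003-11-{day:02d}"
        for i in range(10, 20):
            lines.append(f"{d} 10.1.1.{i} 203.0.113.5 {300_000_000 + 10_000_000 * i}")
        lines.append(f"{d} 10.1.1.50 203.0.113.5 300000000")
        lines.append(f"{d} 198.51.100.7 10.1.1.10 900000000")  # inbound download, not egress
        lines.append(f"{d} 10.1.1.51 192.0.2.44 150000000000")
    lines.append("2003-11-14 10.1.1.50 192.0.2.44 2000000000000")
    return lines


SAMPLE_LOG = _sample_log()


def parse_flows(lines):
    """Turn 'date src dst bytes' lines into (date, src_ip, dst_ip, bytes) tuples."""
    flows = []
    for line in lines:
        date, src, dst, nbytes = line.split()
        flows.append((date, ip_address(src), ip_address(dst), int(nbytes)))
    return flows


def daily_egress(flows):
    """Outbound bytes per (host, date): internal source talking to an external destination."""
    out = defaultdict(int)
    for date, src, dst, nbytes in flows:
        if src in INTERNAL and dst not in INTERNAL:
            out[(str(src), date)] += nbytes
    return dict(out)


def flag_spikes(egress, factor=10):
    """Days on which a host sent more than factor x its own median daily egress."""
    per_host = defaultdict(dict)
    for (host, date), b in egress.items():
        per_host[host][date] = b
    flagged = {}
    for host, days in per_host.items():
        base = median(days.values())
        for date, b in days.items():
            if b > factor * base:
                flagged[(host, date)] = b
    return flagged


def flag_sustained(egress, factor=20):
    """Hosts whose total egress over the window exceeds factor x the fleet median.

    A host that leaks the same volume every day has a flat self-baseline and is
    invisible to flag_spikes; compared with its peers it stands out immediately.
    """
    totals = defaultdict(int)
    for (host, _date), b in egress.items():
        totals[host] += b
    fleet = median(totals.values())
    return {h: t for h, t in totals.items() if t > factor * fleet}


def review(lines):
    """Run both checks over raw flow lines and return what each one flags."""
    egress = daily_egress(parse_flows(lines))
    return {"spikes": flag_spikes(egress), "sustained": flag_sustained(egress)}


if __name__ == "__main__":
    for check, hits in review(SAMPLE_LOG).items():
        print(check)
        for key, nbytes in sorted(hits.items()):
            print(f"  {key}: {nbytes / 1e12:.3f} TB")
```

On the constructed log the spike check names only 10.1.1.50 on its last day, while the fleet check names both 10.1.1.50 and the steady 10.1.1.51; the thresholds are placeholders and in practice would be tuned per network segment, and a real review would also group by destination to surface the single outside relay that both leaking hosts are talking to.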
